Revision comparison (the original is a side-by-side wiki diff; the older revision is on the left, the newer on the right).

Older revision edit summary: (Unstrike and update Issue Y)
Newer revision edit summary: (Update Issue V to include feedback from Kathleen)

Line 296 (older) / Line 296 (newer):

===Symantec Response===

Older:
* Symantec state: "Intel's subordinate CA, which expired in 2016, was not subject to audits either contractually or by previous agreements with both Mozilla and Microsoft given its limited use."

Newer:
* Symantec state: "Intel's subordinate CA, which expired in 2016, was not subject to audits either contractually or by previous agreements with both Mozilla and Microsoft given its limited use." This is true; the CA is mothballed and got out of storage only once a quarter to issue a CRL. Symantec agreed privately with Mozilla that audits were not necessary for a CA in such a state.

Older only (not present in the newer revision):
* Symantec state: "Symantec provided the letter quoted below to Google, Mozilla, Microsoft, and Apple when we shared the Point in Time Audits on September 6, 2016 to specifically address the GeoRoot audit status and remediation plan. That cover letter outlined the plan to wind down the Aetna and UniCredit subordinate CAs." This is true, although Aetna and UniCredit are not mentioned by name in the letter.

Unchanged:
Symantec have also [https://bug1334377.bmoattachments.org/attachment.cgi?id=8860216 stated] that, as of April 21st, 2017, the "Intel, Aetna, and Unicredit CAs have all expired or been revoked." This leaves Google and Apple as the only participants in the GeoRoot program. They also say that: "We agree that getting audits for Aetna and Unicredit took too long. After many discussions, requests, and delays, they finally produced the reports that they did. This experience informed our decision to transition them to alternative solutions."

Line 306 (older) / Line 305 (newer):

===Further Comments and Conclusion===

Unchanged:
It seems that the NTT DoCoMo infrastructure did fall through the cracks audit-wise until 2015-2016.

Older:
Given the power which those organizations held, Symantec did not pursue Aetna and UniCredit for proper audits and appropriate compliance with sufficient alacrity (on UniCredit, see Issue P).

Newer:
Given the power which those organizations held, Symantec did not pursue Aetna and UniCredit for proper audits and appropriate compliance with sufficient alacrity (on UniCredit, see Issue P). However, to a degree, Symantec did keep Mozilla somewhat informed of what was going on, and Mozilla made no comment. It is our understanding that at least one other root program was applying more pressure to remediate this situation than Mozilla was.

Unchanged:
==Issue W: RA Program Audit Issues (2013 or earlier - January 2017)==